From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 242E4C433EF for ; Mon, 14 Feb 2022 15:23:23 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1355760AbiBNPX3 (ORCPT ); Mon, 14 Feb 2022 10:23:29 -0500 Received: from mxb-00190b01.gslb.pphosted.com ([23.128.96.19]:50068 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1351745AbiBNPX0 (ORCPT ); Mon, 14 Feb 2022 10:23:26 -0500 Received: from out03.mta.xmission.com (out03.mta.xmission.com [166.70.13.233]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 432C44755A; Mon, 14 Feb 2022 07:23:19 -0800 (PST) Received: from in02.mta.xmission.com ([166.70.13.52]:38326) by out03.mta.xmission.com with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.93) (envelope-from ) id 1nJdC9-0031ok-MP; Mon, 14 Feb 2022 08:23:17 -0700 Received: from ip68-227-174-4.om.om.cox.net ([68.227.174.4]:60362 helo=email.froward.int.ebiederm.org.xmission.com) by in02.mta.xmission.com with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.93) (envelope-from ) id 1nJdC8-001VFM-6U; Mon, 14 Feb 2022 08:23:17 -0700 From: "Eric W. Biederman" To: Solar Designer Cc: linux-kernel@vger.kernel.org, Alexey Gladkov , Kees Cook , Shuah Khan , Christian Brauner , Ran Xiaokai , Michal Koutn?? , stable@vger.kernel.org References: <87o83e2mbu.fsf@email.froward.int.ebiederm.org> <20220211021324.4116773-5-ebiederm@xmission.com> <20220212223638.GB29214@openwall.com> Date: Mon, 14 Feb 2022 09:23:09 -0600 In-Reply-To: <20220212223638.GB29214@openwall.com> (Solar Designer's message of "Sat, 12 Feb 2022 23:36:39 +0100") Message-ID: <87k0dxv5eq.fsf@email.froward.int.ebiederm.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-SPF: eid=1nJdC8-001VFM-6U;;;mid=<87k0dxv5eq.fsf@email.froward.int.ebiederm.org>;;;hst=in02.mta.xmission.com;;;ip=68.227.174.4;;;frm=ebiederm@xmission.com;;;spf=neutral X-XM-AID: U2FsdGVkX18dw1lI1ntSwcqLdHM5MIlns4bu6PWfLKs= X-SA-Exim-Connect-IP: 68.227.174.4 X-SA-Exim-Mail-From: ebiederm@xmission.com Subject: Re: [PATCH 5/8] ucounts: Handle wrapping in is_ucounts_overlimit X-SA-Exim-Version: 4.2.1 (built Sat, 08 Feb 2020 21:53:50 +0000) X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Solar Designer writes: > On Thu, Feb 10, 2022 at 08:13:21PM -0600, Eric W. Biederman wrote: >> While examining is_ucounts_overlimit and reading the various messages >> I realized that is_ucounts_overlimit fails to deal with counts that >> may have wrapped. >> >> Being wrapped should be a transitory state for counts and they should >> never be wrapped for long, but it can happen so handle it. >> >> Cc: stable@vger.kernel.org >> Fixes: 21d1c5e386bc ("Reimplement RLIMIT_NPROC on top of ucounts") >> Signed-off-by: "Eric W. Biederman" >> --- >> kernel/ucount.c | 3 ++- >> 1 file changed, 2 insertions(+), 1 deletion(-) >> >> diff --git a/kernel/ucount.c b/kernel/ucount.c >> index 65b597431c86..06ea04d44685 100644 >> --- a/kernel/ucount.c >> +++ b/kernel/ucount.c >> @@ -350,7 +350,8 @@ bool is_ucounts_overlimit(struct ucounts *ucounts, enum ucount_type type, unsign >> if (rlimit > LONG_MAX) >> max = LONG_MAX; >> for (iter = ucounts; iter; iter = iter->ns->ucounts) { >> - if (get_ucounts_value(iter, type) > max) >> + long val = get_ucounts_value(iter, type); >> + if (val < 0 || val > max) >> return true; >> max = READ_ONCE(iter->ns->ucount_max[type]); >> } > > You probably deliberately assume "gcc -fwrapv", but otherwise: > > As you're probably aware, a signed integer wrapping is undefined > behavior in C. In the function above, "val" having wrapped to negative > assumes we had occurred UB elsewhere. Further, there's an instance of > UB in the function itself: While in cases like this we pass the value in a long, the operations on the value occur in an atomic_long_t. As atomic_long_t is implemented in assembly we do escape the problems of undefined behavior. > bool is_ucounts_overlimit(struct ucounts *ucounts, enum ucount_type type, unsigned long rlimit) > { > struct ucounts *iter; > long max = rlimit; > if (rlimit > LONG_MAX) > max = LONG_MAX; > > The assignment on "long max = rlimit;" would have already been UB if > "rlimit > LONG_MAX", which is only checked afterwards. I think the > above would be better written as: > > if (rlimit > LONG_MAX) > rlimit = LONG_MAX; > long max = rlimit; > > considering that "rlimit" is never used further in that function. Thank you for spotting that. That looks like a good idea. Even if it works in this case it is better to establish patterns that are not problematic if copy and pasted elsewhere. > And to more likely avoid wraparound of "val", perhaps have the limit at > a value significantly lower than LONG_MAX, like half that? So: For the case of RLIMIT_NPROC the real world limit is PID_MAX_LIMIT which is 2^22. Beyond that the code deliberately uses all values with the high bit/sign bit set to flag that things went too high. So the code already reserves half of the values. > I assume that once is_ucounts_overlimit() returned true, it is expected > the value would almost not grow further (except a little due to races). Pretty much. The function essentially only exists so that we can handle the weirdness of RLIMIT_NPROC. Now that I have discovered the weirdness of RLIMIT_NPROC is old historical sloppiness I expect the proper solution is to rework how RLIMIT_NPROC operates and to remove is_ucounts_overlimit all together. I have to figure out what a proper RLIMIT_NPROC check looks like in proc. Eric